cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
fverdi
Explorer
Member since: ‎04-06-2017
‎11-03-2020
Community Statistics
Posts 7
Solutions 2
Karma Given 4
Karma Received 1
Member Since ‎04-06-2017
Activity Feed
Topics I've Started
No posts to display.
View All

Re: How to restrict a user role to have access onl...

by in Splunk Search
‎02-05-2019 09:48 PM
‎02-05-2019 09:48 PM
Alright, I think I understand what you're looking for. There's probably more than one way to do it, but here's a method using the web ui: From the Web UI, go to: Settings > All Configurations In the App Context drop-down, choose Search & Reporting (search) Check the Show only objects created in this app context box (or uncheck it depending on what you're targeting) Change Results per page to 100 Sort by Config type Scroll to locate all of the items where the Config type is view You should see a list like this: alert alerts charting dashboard dashboard_live dashboards data_model_editor data_model_explorer data_model_manager data_models dataset datasets field_extractor flashtimeline integrity_check_of_installed_files job_manager licenseusage live_tail mod_setup orphaned_scheduled_searches pivot report report_builder_define_data report_builder_display report_builder_format_report report_builder_print reports search show_source it's pretty easy to copy/paste these tables into MS Excel to manipulate the data if you need to ... View more

Re: In the Send results as Excel Add-on, could you...

by in All Apps and Add-ons
‎02-05-2019 09:28 PM
‎02-05-2019 09:28 PM
To officially request a feature, submit a P4 Enhancement Request ticket: http://www.splunk.com/index.php/submit_issue ... View more

Re: Any idea how I can troubleshoot this indexes.c...

by in Splunk Enterprise Security
‎02-05-2019 09:07 PM
‎02-05-2019 09:07 PM
Are you starting Splunk from the shell? Are there any errors presented there? If so, what are you seeing? Take a look at: $splunk_home/var/log/splunk/splunkd.log There are several other log files in that directory that may be worth looking at including crash dumps. ... View more

Re: Data Ingestion to Cluster

by in Splunk Dev
‎01-31-2019 08:41 AM
1 Karma
‎01-31-2019 08:41 AM
1 Karma
There could be a number of things wrong here, and we'll need more information to determine what the cause is. There are a number of ways to do this, but here are some steps that I recommend trying. Let's start in order from the file to the indexer: 1. Confirm the permissions on the file are configured to allow Splunk to read the file 2. Confirm the file contains new data that has not already been read-in by Splunk. If you're trying to ingest the same file twice, Splunk will not do this because it's already marked as read in the fish bucket 3. If this is just test data, add a new line/new event to the file to be read in 4. Use btprobe to remove the file from the fish bucket so Splunk will read it in again ./btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /home/ec2-user/Test --reset 5. Double-check your monitor stanza, keep in mind that it is case-sensitive Is this file being read in by the UF? If so, run searches for index=_* host=<UF hostname> error OR warn and index=_* host=<UF hostname> "/home/ec2-user/Test" and share any noteworthy results, or if there is a lack of results, that is noteworthy too. On the indexers: 1. Confirm that the new index is properly configured 2. Are you currently receiving any error messages in the top right corner of the Splunk Web UI? 3. Attempt to cut the UF out of the equation by dropping the file on one of your indexers using a oneshot ./splunk add oneshot /var/log/applog -index Test_Index and see if/how that works (not as a permanent solution, but as a troubleshooting step to isolate the issue) 4. Run a searches for index=_internal host IN (<idx1>,<idx2>) error OR warn and index=_internal host IN (<idx1>,<idx2>) "/home/ec2-user/Test" and share any noteworthy results. On the search head: 1. Be sure to run searches for all time, in case there is an issue with time stamp extraction index=Test_Index earliest=1 latest=now() 2. Run a search to make sure the data didn't somehow end up somewhere else index=* source="/home/ec2-user/Test" earliest=1 latest=now() 3. Finally, let's look for any internal events related to this file index=_* source="/home/ec2-user/Test" earliest=1 latest=now() and note which host they're coming from if you've attempted to read this file in from multiple hosts. Report back with your findings and we can continue to move forward to narrow the troubleshooting and identify the root cause(s). ... View more

Re: Why is the Indexer ignoring my timezone settin...

by in Getting Data In
‎01-31-2019 07:02 AM
‎01-31-2019 07:02 AM
The hostname is being parsed using the system/default props and transforms: system/default/props.conf [syslog] TRANSFORMS = syslog-host system/default/transforms.conf [syslog-host] DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s FORMAT = host::$1 As you mentioned, the host is initially set as the local host of your UF they came from rather than from the event itself, at that point ALL events have the same host. Then, timestamp is extracted. Finally, transforms are run, the above host transform runs, and host is extracted...but it happens after the timestamp has already been extracted. The point is, this will never work. You can never extract the host before extracting timestamp. So, you will need to use a different method like one of the two I suggested in my initial post. ... View more

Re: Why is the Indexer ignoring my timezone settin...

by in Getting Data In
‎01-31-2019 06:39 AM
‎01-31-2019 06:39 AM
The only way it could be parsing the multiple different hostnames from that file is by using transforms. So it's not working for one of two reasons: You're not parsing the hostname so your hostname stanzas don't applying You are parsing them and the timestamp is already set before that transform is read. Since your sourcetype is "syslog" that is a pre-trained sourcetype that Splunk comes with host extraction transforms for, and those are how the hostname is being extracted. The problem is timestamp extraction always comes before transforms. Bottom line is that the parsing multiple hostnames from an individual file and then trying to configure TZ will not work because the timestamp will always be extracted before the hostname is parsed. This configuration would never work, regardless of any source or sourcetype stanzas. No matter what stanzas may or may not exist, the timestamp will always be extracted before the host transform is run. ... View more

Re: Why is the Indexer ignoring my timezone settin...

by in Getting Data In
‎01-30-2019 05:15 PM
‎01-30-2019 05:15 PM
Since you have multiple hosts writing to one file, I'm going to assume you're using a transform to parse the hostnames and then your thought is that it will apply your time zone setting by that host. The problem is the time is set prior to transforms running, so the hostname is parsed after the timestap has already been completed by Splunk, and by that point it is too late. A workaround could be to either separate the hosts by time one into different files (this could be achieved by using a different port for each TZ). Then you can configure the TZ per file. Another workaround would be to modify your syslog config to write each host to a different directory by adding the host variable to the path. Then you can use a path segment to set the host rather than a transform, and then your hostname:: props will work., ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-03-2020 12:56 PM
Karma from
View All
Karma given to